{
	"id": "4caaf1cd-88fb-4af2-a85e-3a81f346958a",
	"created_at": "2026-04-06T00:17:55.996927Z",
	"updated_at": "2026-04-10T03:31:40.619003Z",
	"deleted_at": null,
	"sha1_hash": "825b66ab3dee4cdfa12dd4877b2ac5dc910f6dd6",
	"title": "Examining XLoader, FakeSpy, and the Yanbian Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 575128,
	"plain_text": "Examining XLoader, FakeSpy, and the Yanbian Gang\r\nBy By: Lorin Wu, Ecular Xu Nov 26, 2018 Read time: 3 min (747 words)\r\nPublished: 2018-11-26 · Archived: 2026-04-05 16:14:04 UTC\r\nXLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat\r\nlandscape recently. We first reported about XLoader in April 2018 when it used Domain Name System (DNS)\r\ncache poisoning/DNS spoofing to victimize users with malicious Android apps that steal PII and financial data\r\nand install additional apps. Meanwhile, we released our findings on FakeSpy in June after it infected Android\r\nusers via SMS phishing or SMiShing to launch info-stealing attacks.\r\nAs of October, there have been a total of 384,748 victims from XLoader and FakeSpy attacks globally, with the\r\nmajority of victims coming from South Korea and Japan.\r\nFigure 1. Monthly infection count for XLoader and FakeSpy attacks this year\r\nWhen we released our initial findings on XLoader and FakeSpy, they appeared to have nothing to do with each\r\nother. However, our new research uncovered clues that could indicate that they are either being operated by the\r\nsame threat actor group or that their operators are affiliated with each other.\r\nXLoader and FakeSpy posed as legitimate apps of a Japanese home delivery service company\r\nThe first clue that led to the discovery of the connection between XLoader and FakeSpy is when the former was\r\nobserved disguising as a legitimate app of a major Japanese home delivery service company in June. 
Interestingly, almost all FakeSpy variants posed as the abovementioned Japanese apps to steal sensitive\r\ninformation from users.\r\nhttps://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html\r\nPage 1 of 6\n\nDigging deeper into the activities of XLoader and FakeSpy, we learned that they use the same ecosystem to\r\ndeploy malware. We used VirusTotal to search for an XLoader sample\r\n(bf0ad39d8a19b9bc385fb629e3227dec4012e1f5a316e8a30c932202624e8e0e) in July and learned that the sample\r\nhad been downloaded from a malicious domain posing under the name of the said home delivery service company.\r\nWhen we analyzed a FakeSpy sample\r\n(ba5b85a4dd70b96f4a43bda5eb66e546facc4e3523f78a91fc01c768c6de5c24) over a month later, we discovered\r\nthat it had been downloaded from the same malicious domain.\r\nFigure 2. VirusTotal showing details of an XLoader sample coming from the abovementioned domain\r\nFigure 3. A FakeSpy sample was found to have been downloaded from the same domain\r\nMultiple XLoader and FakeSpy samples showed the same results. As of this writing, we have identified 126\r\ndomains that XLoader and FakeSpy shared for deploying malware (see the complete IoC list in the research paper).\r\nIn addition, we saw similarities in how XLoader and FakeSpy handle their C\u0026C addresses. Some of their\r\nvariants abuse social media user profiles to hide their real C\u0026C addresses.\r\nFigure 4. XLoader hiding its real C\u0026C address in a social media user profile. Note: Through active cooperation\r\nwith the vendors that own the domains involved in this research, the user profile pages and accounts have\r\nbeen blocked.\r\nFigure 5. The IP address is written on social media profiles, always starting with ^^ and ending with $$. When the\r\napp is launched, it accesses the page and parses its contents to get the real C\u0026C address.\r\nThe Yanbian Gang connection\r\nAnalyzing the code structure and behavior of XLoader and FakeSpy, we were able to correlate the latter’s samples\r\nwith those of the Yanbian Gang, a Chinese cybercriminal group infamous for stealing money from account holders\r\nof South Korean banks.\r\nAside from the fact that FakeSpy and Yanbian apps both targeted online banking users in Japan and South Korea, we\r\nalso learned that both operators used malware with similar code:\r\nFigure 6. Code from a Yanbian Gang app\r\nFigure 7. Code from a FakeSpy app\r\nFigure 8. The malicious app from the Yanbian Gang (top) and a FakeSpy sample (bottom) share similar metadata\r\ncontaining the infected devices’ information and C\u0026C server path.\r\nWHOIS results revealed that the registrants of the malicious domains shared by FakeSpy and XLoader (for the fake\r\napps of the Japanese home delivery service company) are from China. The registrants’ phone numbers also appear\r\nto originate from Jilin Province, which is known as the Yanbian Gang members’ location.\r\nConsidering all the information gathered in our research, we can speculate that the Yanbian Gang has possible\r\nconnections to FakeSpy and XLoader. 
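The profile-page C2 lookup that Figure 5 describes, as an added example that is not code from the original article and not code taken from XLoader or FakeSpy themselves: a small Python resolver that pulls every ^^ ... $$ delimited string out of a profile page, decodes HTML entities before matching, stops an unclosed ^^ from swallowing a later marker, and keeps only payloads that validate as an IPv4 address with an optional port. SAMPLE_PROFILE_PAGE is a constructed page using RFC 5737 documentation addresses; the real profile pages and C2 addresses are not reproduced in this article, so the markers, decoys and addresses below are assumptions.

```python
from __future__ import annotations

import html
import ipaddress
import re
from typing import Optional

# Constructed stand-in for a social media profile page of the kind shown in
# Figures 4 and 5. Assumption: the addresses are RFC 5737 documentation
# addresses, not the real C2 servers, which the article does not list.
SAMPLE_PROFILE_PAGE = '''
<html><body>
<div class=bio>Travel lover. ^^203.0.113.10:8080$$ Contact me!</div>
<p>Decoy text: ^^ opening marker with no closing marker</p>
<p>More decoy text: ^^not-an-address$$</p>
<div class=about>&#94;&#94;198.51.100.7$$</div>
</body></html>
'''

OPEN_MARK = re.escape('^^')
CLOSE_MARK = re.escape('$$')
# Shortest run between ^^ and $$ that does not itself contain ^^, so an
# unclosed ^^ earlier on the page cannot swallow a later, real marker.
MARKER_RE = re.compile(
    OPEN_MARK + '((?:(?!' + OPEN_MARK + ').)*?)' + CLOSE_MARK, re.DOTALL
)


def extract_marked_payloads(page: str) -> list[str]:
    # Decode HTML entities first: a profile that stores the markers as
    # &#94; entities would otherwise be missed entirely.
    decoded = html.unescape(page)
    return [m.group(1).strip() for m in MARKER_RE.finditer(decoded)]


def parse_c2(payload: str) -> Optional[tuple[str, Optional[int]]]:
    # Accept only an IPv4 address, optionally followed by :port; anything
    # else is treated as ordinary profile text rather than a C2 address.
    host, sep, port_text = payload.partition(':')
    try:
        address = str(ipaddress.IPv4Address(host))
    except ValueError:
        return None
    if not sep:
        return (address, None)
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        return None
    return (address, int(port_text))


def resolve_c2(page: str) -> list[tuple[str, Optional[int]]]:
    # Stand-in for the app fetch-and-parse step: the page text is passed in
    # directly instead of being downloaded, so this runs offline.
    candidates = []
    for payload in extract_marked_payloads(page):
        parsed = parse_c2(payload)
        if parsed is not None:
            candidates.append(parsed)
    return candidates


if __name__ == '__main__':
    for address, port in resolve_c2(SAMPLE_PROFILE_PAGE):
        suffix = f':{port}' if port is not None else ''
        print('C2 candidate:', address + suffix)
```

Running the module prints the two surviving candidates for the constructed page. The same extraction can be pointed at archived copies of suspect profile pages, or at string dumps of decompiled APKs, to confirm which samples carry this resolver; the validation step matters because ordinary profile text can contain the markers with no address behind them.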
However, it could also simply mean that two different sets of threat actors or\r\ngroups are using the same service or deployment infrastructure. Nevertheless, the prevalence of XLoader and\r\nFakeSpy should remind users to always follow best practices for mobile security.\r\nFor more details on XLoader and FakeSpy’s behavior, targets, infrastructure, attack vectors, and how they evolved\r\nover the years, check out our research paper titled “The Evolution of XLoader and FakeSpy: Two Interconnected\r\nAndroid Malware Families.”\r\nSource: https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html"
	],
	"report_names": [
		"a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html"
	],
	"threat_actors": [
		{
			"id": "4c5a35bf-f483-463e-aea0-89a795698cff",
			"created_at": "2023-01-06T13:46:39.198624Z",
			"updated_at": "2026-04-10T02:00:03.243996Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "MISPGALAXY:Yanbian Gang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f350ed9-134e-4160-b63d-701f562ba64a",
			"created_at": "2022-10-25T16:07:24.589322Z",
			"updated_at": "2026-04-10T02:00:05.045635Z",
			"deleted_at": null,
			"main_name": "Yanbian Gang",
			"aliases": [],
			"source_name": "ETDA:Yanbian Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775791900,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/825b66ab3dee4cdfa12dd4877b2ac5dc910f6dd6.pdf",
		"text": "https://archive.orkl.eu/825b66ab3dee4cdfa12dd4877b2ac5dc910f6dd6.txt",
		"img": "https://archive.orkl.eu/825b66ab3dee4cdfa12dd4877b2ac5dc910f6dd6.jpg"
	}
}